factory-installed bios-resident malware in new computers? RPCNET.EXE

VirtualLarry

No Lifer
Aug 25, 2001
http://www.neuber.com/taskmanager/process/rpcnet.exe.html

I just recently purchased an Acer Aspire V5 laptop, and when I got it, I pulled the 500GB HDD, installed my own 80GB SSD, and installed Win7 64-bit fresh.

Fast-forward a few days. I open Task Manager, look at the Processes tab, then click "Show processes from all users".

Well, lo and behold, there's this "rpcnet.exe" *32 running. Looking at the properties, it's not part of Windows, nor a Microsoft file.

According to the above, it's part of Lo-Jack for laptops. Only, I do NOT have that installed.

I want to get rid of this spyware. Is it possible?

Edit: found this:
http://www.freakyacres.com/remove_computrace_lojack

Think I'll just return it. This spying crap is unbelievable.

Chiefcrowe

Diamond Member
Sep 15, 2008
Never heard of this before! Did you try running the removal process yet or contact the company?
 

VirtualLarry

https://en.wikipedia.org/wiki/CompuTrace#for_Laptops

According to that, it ships disabled. If so, then who enabled it on my new PC?

Edit: The "removal" process involves BIOS hacking and re-flashing.

http://www.techspot.com/community/topics/rpcnet-exe-explained-and-work-around.68882/
"Here's something else that works

If you deny Read & Execute permissions to both rpcnetp.exe and rpcnetp.dll and remove all of the registry entries for rpcnetp.*, the service no longer runs and the values no longer return to the registry."

That seemed to have helped. After setting DENY on "Read & Execute" for SYSTEM user on RPCNET*.* files, and rebooting, I no longer show RPCNET.EXE running. Whether or not there is another service also running in the background, I do not know. I did not go into my registry to remove services entries.
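The post above leaves open whether the Deny workaround actually took effect and whether a related service is still registered. The following read-only PowerShell audit is an added example, not part of the original thread or any vendor tooling; it assumes PowerShell 3.0 or later, an elevated prompt, and that the rpcnet* files live in the Windows system directories (the thread does not state their location).

```powershell
# Added example: read-only audit, changes nothing on the system.
# Assumption: rpcnet* files are in the Windows system directories.
$dirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64" |
    Where-Object { Test-Path $_ }
$rx = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# 1. Files on disk: who signed them, and is there a Deny ACE that
#    covers the full Read & Execute right?
Get-ChildItem -Path $dirs -Filter 'rpcnet*' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $acl  = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        $deny = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $rx) -eq $rx)
        })
        [pscustomobject]@{
            File      = $_.FullName
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                        else { '(unsigned)' }
            DenyRXFor = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    } | Format-List

# 2. Running processes whose name matches (wildcards are supported by -Name).
Get-Process -Name 'rpcnet*' -ErrorAction SilentlyContinue |
    Select-Object Name, Id, Path | Format-Table -AutoSize

# 3. Services whose binary path references rpcnet, running or not.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*rpcnet*' } |
    Select-Object Name, State, StartMode, PathName | Format-List
```

An empty process list together with a Deny entry for SYSTEM shows only that the Windows-side agent is blocked; it does not tell you whether anything outside the OS remains in place.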

JEDIYoda

Lifer
Jul 13, 2005
Personally I think you are going over the deep end over nothing as far as I can tell!

Rpcnet.exe Description:
Remote Procedure Call (RPC) Net service found pre-installed on laptops from a number of manufacturers, such as Gateway for example, and which is a core service of Absolute Software's LoJack laptop anti-theft protection software. The LoJack system is one where you go through a procedure to register your laptop's details with Absolute Software. During the registration process this particular service communicates with the Absolute Software servers to establish a unique identification (ID) for your laptop. From then on this service communicates once a day with the Absolute Software servers to let them know where this laptop is (through giving details of the IP address that your laptop is operating from). If your laptop is stolen, you simply login to the Absolute Software website (or you can call them) and report your laptop as stolen. If the thieves have used the laptop since stealing it, and if they were connected to the Internet when they did so, the laptop will have communicated its IP address location to the Absolute Software servers. You can then liaise with Absolute Software and the Police to attempt to recover your laptop.
Rpcnet.exe Recommendation:
Even if you have never used the LoJack software (ie: you have never registered your laptop), we recommend that you leave this background service enabled. The reason for this recommendation is that this service is just the tip of the iceberg as regards what the LoJack system consists of. Part of the LoJack system includes modifications to the computer's BIOS, the small control program which operates and starts your PC and then loads Windows. Given that some versions of the LoJack system include the ability for you not only to report the laptop as stolen, but to also remotely instruct the LoJack system to delete everything on your laptop (files and Windows!), and given that all this particular background service does is communicate only the IP address location of your laptop together with its serial number and other similar hardware information (it does not communicate anything else about your laptop, your data, your browsing habits), we prefer to recommend leaving it running as we are not fully certain of all the consequences if you decide to stop it from running.

This background service normally uses only 1Mb to 5Mb of memory on the overwhelming majority of PCs, and uses next to nothing as regards CPU resources. On the odd PC this background service may occasionally use more memory, up to 16Mb.
 

John Connor

Lifer
Nov 30, 2012
Yeah, that's LoJack. I was doing research on LoJack for computers and even when you remove the process it continues to phone home through BIOS. Someone turned it on in your computer in BIOS. I would return the computer for a new one which doesn't have it turned on.

Mine is off by default. Since I built the laptop from eBay for only ~$150 and set the password on the hard drive I don't have too much here to lose and doubtful anyone will break the hard drive password. I do have a tool I downloaded from P2P that is for Dell computers that may be able to give me a default password and log me in. I'll have to test it and see what happens.

Since I was doing research on Lojack for computers can you go into BIOS and tell me if there is a setting there? It should have no option to turn off anymore since someone enabled it, but I'm curious as to whether it shows up in BIOS.

VirtualLarry

John Connor said:
"Yeah, that's LoJack.
Since I was doing research on Lojack for computers can you go into BIOS and tell me if there is a setting there? It should have no option to turn off anymore since someone enabled it, but I'm curious as to whether it shows up in BIOS."

No BIOS option. I'm curious how the BIOS "phones home" without the Windows part of the agent running.

I'm a bit upset that this crap apparently came enabled from the factory.

Edit: Btw, JY, you can just stuff it. I'm sure that you wouldn't mind wearing a tracking ankle bracelet, either, right? Just in case you might be kidnapped by Mexican drug dealers some day?

smakme7757

Golden Member
Nov 20, 2010
I was able to disable this in my BIOS on my Dell machine, so it's strange you don't have a similar option in yours (Mine was the Intel Anti theft stuff).

On my Dell it's like a root-kit that's embedded in a ROM chip on the motherboard. It will then inject the code into the OS when it's formatted and reinstalled. The purpose is of course to enable the owner to find their stolen property.

You could try this to disable the process:
http://www.freakyacres.com/remove_computrace_lojack
 

VirtualLarry

I was just recently informed that there is an actual additional chip installed on the board, which watches over the system, and that my swapping out of the HDD for an SSD may have triggered it to activate.

SOO STUPID!
 

Ketchup

Elite Member
Sep 1, 2002
I could see how manufacturers could make this sound like an awesome idea, but the lack of being upfront about this thing would cause some frustration for me, personally.

I am sure there are people out there whose "lives were saved" from the built-in LoJack, but considering the times we are in, it just looks like another method of lurking on people.